There is an adage that states all press is good press, but when it comes to data security, nothing could be further from the truth. For organizations that outsource their print and mail communications, being in the news is rarely, if ever, a positive—which is why it’s important to establish the proper systems for securing customers’ sensitive data.
Statistics around data breaches have grown even more alarming in recent years, particularly for ransomware attacks, where malicious software locks a device’s data and demands a ransom before restoring access. Today, the average ransomware demand clocks in at $247K, with the average ransomware payment closer to $952K. Only four percent of companies who pay the full amount are able to retrieve all of their lost data, and the cost of recovering from such an attack exceeds $1.8 million. These staggering figures, which are expected to continue climbing throughout 2023, demonstrate the increasing severity of such attacks, not to mention the devastating financial consequences of damaged brand reputation.
With data breaches, hacking incidents, and multi-million-dollar fines showing up in the news headlines continually, the old days of encryption keys just don’t cut it anymore. Today, the focus must be on leveraging technology in a way that keeps your files, your customers’ data, and you absolutely secure and able to sleep at night.
The word “compliance” often arises in conversations about data security, but the idea that regulatory compliance is synonymous with security is an unfortunate misconception. While regulations tend to include common elements, such as risk assessment, access control, and vendor management, many breaches often result from negligence from within the organization rather than an attempt by an outside party to gain access to protected data.
By following these six considerations, it’s possible to fill in the gaps of a compliance-only strategy while also anticipating changes to the cybersecurity landscape.
1. Adopt a prevention mindset. To transform your approach to data security and compliance, it’s critical to take a strategic, long-term view that’s laser-focused on prevention. One place to start is by seeking out a customer communications management (CCM) software solution that travels with the data to safeguard it against breaches at every step. No matter what solution you choose, it needs to be able to keep pace with the rapidly and constantly evolving trends in cybercrime.
2. Reference the CIS Critical Security Controls standards. As you’re assessing risks, take advantage of the established industry standards from the nonprofit Center for Internet Security (CIS). Formerly known as the SANS Critical Security Controls, the CIS Critical Security Controls (also called CIS Controls) are a set of 18 recommended actions designed to protect organizations and data from the most prevalent types of cyberattacks. Ranging from inventory of enterprise assets to access control management, security awareness, skills training, and web browser protections, this set of controls offers helpful guidance for mitigating risk in all areas of the enterprise.
3. Look for a CCM tool that’s built with data security in mind. Many companies that outsource their customer communications cobble together software products from multiple vendors, each serving a single purpose within the workflow. However, this patchwork approach to organizational workflow complicates integration, in addition to increasing the likelihood of a breach. Instead of using multiple platforms, protecting the security of customer data means identifying and integrating a comprehensive CCM platform that’s designed to deliver the highest possible level of security while also offering compliance tracking, reporting and enforcement.
4. Be aware of industry-specific regulations and expect continued updates to privacy laws. To meet the stringent requirements of vertical-specific regulations like HIPAA, PCI, FISMA, SSA16, and GDPR, data must be encrypted. Even if they manage to steal a piece of encrypted personal data, hackers won’t be able to access it without the privacy key. As consumers increasingly put pressure on legislators to protect them from the consequences of data breaches, including identity theft, privacy regulations are only expected to become increasingly numerous and strict. In 2022 alone, state legislatures introduced a combined total of nearly 200 consumer privacy bills. Additionally, five different states — California, Colorado, Connecticut, Utah, and Virginia — have already enacted comprehensive privacy laws.
5. Settle for nothing less than end-to-end encryption. To address industry-critical compliance issues, your software needs protection embedded into the data file, allowing it to travel through the workflow with constant encryption. In a typical multi-step workflow, data is unencrypted while at rest, with duplicate files commonly stored in multiple locations. Instant response and tracking are also unavailable in a typical multi-step workflow. All told, these common aspects widen the margin for human error significantly. On the other hand, a true closed-loop workflow protects data from receipt to output and keeps files encrypted through the full duration of their lifecycle. Additionally, closed-loop workflows track and send status notifications immediately, keep logs of all access and allow data owners to set protective rules, such as those for expiration and shredding. Unlike a typical workflow, this type of intelligent protection technology provides the optimum security available, minimizing your risk of breaches and costly penalties.
6. Ensure disaster recovery and emergency preparedness. Unfortunately, ransomware and other cyberattacks are here to stay and the statistical likelihood that your organization will be affected is less a matter of “if” than “when.” In addition to taking steps to prevent a breach, it’s important to establish a disaster recovery plan that includes a chain of command, as well as contact information for team members, procedures for various levels of breach severity and a plan that establishes who should be contacted and when. Most importantly, since your online system is the one most likely to be affected by ransomware, it’s critical to have an offline backup of information that isn’t accessible via a network. This will allow you to restore normal business operations after a ransomware attack.
When it comes to customers’ personal data, the words “compliance” and “security” are often heard in tandem. However, following industry-specific regulations for data security isn’t enough to prevent a breach. With greater awareness of the landscape of cyberattacks — plus, a comprehensive CCM software designed with security as a focus — it’s possible to anticipate these rapidly evolving security demands in a way that protects the reputation and future of your company.
Alexandria Gregory is Vice President of Client Services at Transformations, Inc., developer of Uluro, a comprehensive customer communications management (CCM) software. Visit www.uluro.com or LinkedIn for more information.
This article originally appeared in the July/August, 2023 issue of Mailing Systems Technology.